{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Detect Prohibited Applications Spawning cmd exe Unit Test\n",
    "\n",
    "#### This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe. This is a SPL2 implementation of the rule `Detect Prohibited Applications Spawning cmd.exe`\n",
    "\n",
    "Source: https://github.com/splunk/security-content/blob/develop/detections/endpoint/prohibited_apps_spawning_cmdprompt___ssa.yml"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 92,
   "metadata": {
    "execution": {
     "iopub.execute_input": "2020-10-15T00:21:43.611728Z",
     "iopub.status.busy": "2020-10-15T00:21:43.611411Z",
     "iopub.status.idle": "2020-10-15T00:21:43.615239Z",
     "shell.execute_reply": "2020-10-15T00:21:43.614712Z",
     "shell.execute_reply.started": "2020-10-15T00:21:43.611700Z"
    }
   },
   "outputs": [],
   "source": [
    "import json\n",
    "data='{\"process_path\":\"c:\\\\\\windows\\\\\\system32\",\"process_name\":\"cmd.exe\",\"process\":\"C:\\\\\\Windows\\\\\\system32\\\\\\cmd.exe\",\"parent_process_name\":\"C:\\\\\\Program Files\\\\\\Microsoft Office\\\\\\winword.exe\",\"dest_user_id\":\"eyJlbnRpdHlUeXBlIjoiVVNFUiIsInByaW1hcnlBcnRpZmFjdCI6ImFkbWluaXN0cmF0b3IiLCJwcmltYXJ5QXJ0aWZhY3RUeXBlIjoiV0lORE9XU19BQ0NPVU5UX05BTUUifQ\",\"dest_device_id\":\"eyJlbnRpdHlUeXBlIjoiREVWSUNFIiwicHJpbWFyeUFydGlmYWN0Ijoid2luLWRjLTY1NjUwNzEiLCJwcmltYXJ5QXJ0aWZhY3RUeXBlIjoiRE5TIn0\",\"_time\":\"1602004409000\"}'\n",
    "json.loads(data)\n",
    "with open(\"detect_prohibited_applications_spawning_cmd_exe.json\", \"w\") as outfile:\n",
    "    outfile.write(data)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 94,
   "metadata": {
    "execution": {
     "iopub.execute_input": "2020-10-15T00:22:58.225618Z",
     "iopub.status.busy": "2020-10-15T00:22:58.225357Z",
     "iopub.status.idle": "2020-10-15T00:22:59.362013Z",
     "shell.execute_reply": "2020-10-15T00:22:59.361508Z",
     "shell.execute_reply.started": "2020-10-15T00:22:58.225596Z"
    }
   },
   "outputs": [
    {
     "data": {
      "application/vnd.jupyter.widget-view+json": {
       "model_id": "c2d2b32468a04f8a8bb7eafd174e5c5d",
       "version_major": 2,
       "version_minor": 0
      },
      "text/plain": [
       "HBox(children=(HTML(value=''), FloatProgress(value=0.0, max=5.0), HTML(value='')))"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    },
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      " Finished.                     "
     ]
    },
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>start_time</th>\n",
       "      <th>dest_device_id</th>\n",
       "      <th>field0</th>\n",
       "      <th>entities</th>\n",
       "      <th>process_name</th>\n",
       "      <th>end_time</th>\n",
       "      <th>dest_user_id</th>\n",
       "      <th>parent_process</th>\n",
       "      <th>body</th>\n",
       "      <th>value</th>\n",
       "      <th>input_event</th>\n",
       "      <th>timestamp</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>2020-10-06 17:13:29</td>\n",
       "      <td>eyJlbnRpdHlUeXBlIjoiREVWSUNFIiwicHJpbWFyeUFydG...</td>\n",
       "      <td>winword.exe</td>\n",
       "      <td>[eyJlbnRpdHlUeXBlIjoiREVWSUNFIiwicHJpbWFyeUFyd...</td>\n",
       "      <td>cmd.exe</td>\n",
       "      <td>2020-10-06 17:13:29</td>\n",
       "      <td>eyJlbnRpdHlUeXBlIjoiVVNFUiIsInByaW1hcnlBcnRpZm...</td>\n",
       "      <td>c:\\program files\\microsoft office\\winword.exe</td>\n",
       "      <td>TBD</td>\n",
       "      <td>{\"process_path\":\"c:\\\\windows\\\\system32\",\"proce...</td>\n",
       "      <td>{'process_path': 'c:\\windows\\system32', 'proce...</td>\n",
       "      <td>2020-10-06 17:13:29</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "           start_time  ...           timestamp\n",
       "0 2020-10-06 17:13:29  ... 2020-10-06 17:13:29\n",
       "\n",
       "[1 rows x 12 columns]"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    },
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "\n"
     ]
    },
    {
     "data": {
      "text/plain": [
       "<spl2_kernel.spl2_runner.SPL2Job at 0x7fd58e124e50>"
      ]
     },
     "execution_count": 94,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "| from read_text(\"s3://smle-experiments/datasets/ssa/detect_prohibited_applications_spawning_cmd_exe.json\")\n",
    "| eval input_event=from_json_object(value)\n",
    "\n",
    "| eval timestamp=parse_long(ucast(map_get(input_event, \"_time\"), \"string\", null))\n",
    "| eval process_name=ucast(map_get(input_event, \"process_name\"), \"string\", null),\n",
    "parent_process=lower(ucast(map_get(input_event, \"parent_process_name\"), \"string\", null)),\n",
    "dest_user_id=ucast(map_get(input_event, \"dest_user_id\"), \"string\", null),\n",
    "dest_device_id=ucast(map_get(input_event, \"dest_device_id\"), \"string\", null)\n",
    "| where process_name=\"cmd.exe\"\n",
    "| rex field=parent_process \"(?<field0>[^\\\\\\\\]+)$\"\n",
    "| where field0=\"winword.exe\" OR\n",
    "        field0=\"excel.exe\" OR\n",
    "        field0=\"outlook.exe\" OR\n",
    "        field0=\"powerpnt.exe\" OR\n",
    "        field0=\"visio.exe\" OR\n",
    "        field0=\"mspub.exe\" OR\n",
    "        field0=\"acrobat.exe\" OR\n",
    "        field0=\"acrord32.exe\" OR\n",
    "        field0=\"chrome.exe\" OR\n",
    "        field0=\"iexplore.exe\" OR\n",
    "        field0=\"opera.exe\" OR\n",
    "        field0=\"firefox.exe\" OR\n",
    "        field0=\"java.exe\" OR\n",
    "        field0=\"powershell.exe\"\n",
    "| eval start_time=timestamp,\n",
    "end_time=timestamp,\n",
    "entities=mvappend(dest_device_id, dest_user_id),\n",
    "body=\"TBD\";"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": []
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": "SPL2",
   "language": "SPL",
   "name": "spl2"
  },
  "language_info": {
   "mimetype": "text/spl",
   "name": "SPL"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}
